DEPARTMENT OF HOMELAND SECURITY

Office of Inspector General

Letter Report:
DHS National Applications Office
Privacy Stewardship
(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General, has redacted
this report for public release. A review under the Freedom of Information Act will be
conducted upon request.

OIG-08-35                                                            April 2008

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

April 2, 2008

MEMORANDUM FOR:              Charles E. Allen
                             Under Secretary for Intelligence & Analysis
                             Office of Intelligence & Analysis

FROM:                        Richard L. Skinner
                             Inspector General

SUBJECT:                     National Applications Office Privacy Stewardship

We reviewed the Department of Homeland Security (DHS) National Applications Office
(NAO) privacy stewardship to determine whether NAO's plans and activities instill and
promote a privacy culture and are in compliance with privacy regulations. Privacy
stewardship includes establishing privacy requirements prior to program initiation,
privacy risk assessment and mitigation, and privacy integration in the program operation.

Generally, NAO is making good progress in developing an effective privacy program for
its operations.
Specifically, NAO involved the DHS Privacy Office early in program
planning and development of key organizational documents. Also, NAO acknowledges
privacy requirements and states a commitment to privacy in its Charter. By doing so,
NAO signaled its intent to incorporate accepted privacy principles in its policies and
operating procedures. We identified several elements that serve as a framework for
NAO's privacy stewardship. These include ongoing privacy oversight by departmental
privacy and civil liberties officers, public notice of system of records, training of NAO
personnel, and approved risk assessments. However, a revised Privacy Impact
Assessment and a Civil Liberties Impact Assessment reflecting changes in the Charter are
still necessary prior to NAO becoming operational.

We recommend the Under Secretary for Intelligence & Analysis direct the Director of
NAO to obtain approval by the DHS Privacy Office of an updated program Privacy
Impact Assessment reflecting a signed Charter and standard operating procedures and
approval by the DHS Office for Civil Rights and Civil Liberties of NAO's Civil Liberties
Impact Assessment.

National Applications Office Privacy Stewardship

Background
NAO will perform a centralized role to facilitate access to and proper use of various
intelligence community disciplines and capabilities

Within legal boundaries,
NAO will share intelligence for domestic scientific, geographic, or environmental
research; homeland security; preparation, response, and mitigation of disasters; terrorism
response and mitigation; border protection; and criminal and civil law enforcement.

The Director of National Intelligence formed a planning team for NAO in September
2006 and designated the DHS Secretary as Executive Agent of NAO in June 2007.
By August 2007, the DHS Secretary delegated management authority to the Office of
Intelligence & Analysis, which together with NAO, issued a Concept of Operations.
DHS intended for NAO to be operational by October 2007. Figure 1, Timeline of Key
Activities, indicates NAO’s developmental activities and initial privacy stewardship
activities from September 2005 to December 2007.

Figure 1: Timeline of Key Activities

Results of Review

Framework for Privacy Stewardship is Ready for Implementation
In September 2007, NAO sought agreement from partner Departments to finalize its
Charter.2 NAO involved the Office of the Director of National Intelligence Civil
Liberties Protection Office, and the DHS Office of Policy, Privacy Office, and Office for
Civil Rights and Civil Liberties to ensure that the Charter adequately addresses DHS
policies and privacy and civil liberties safeguards. Additionally, NAO added other key
elements in developing its framework for privacy stewardship and implementing active
monitoring of privacy compliance.

The elements supporting privacy stewardship include: Charter and standard operating
procedures, ongoing guidance from DHS and the Office of the Director of National
Intelligence, privacy and civil liberties training, and public notice of a system of records.
The left column of Figure 2, Framework for Privacy Stewardship, shows what elements
are needed as the foundation for NAO’s framework. The second column identifies what
NAO is addressing to comply with the legal requirements. In the third column,
comments describe the status or a check (✓) indicates completion.
The last column
indicates the legal requirement or enabling legislation for oversight groups.

Figure 2: Framework for Privacy Stewardship

Elements that are Needed           What NAO is Addressing               Status        Requirement

1) Legal framework that complies   Charter and standard operating       Pending       Consolidated Appropriations
   with existing laws, including   procedures                           signatory     Act, 2008, H.R. 2764 §525
   all applicable privacy                                               concurrence
   standards

2) External oversight and          Ongoing guidance and monitoring      ✓             6 USC §142 (DHS Privacy
   monitoring                      from DHS Privacy Office, DHS Office                Officer) and §345 (Officer
                                   for Civil Rights and Civil                         for Civil Rights and Civil
                                   Liberties, and Office of the                       Liberties); Intelligence
                                   Director of National Intelligence                  Reform and Terrorism
                                   Civil Liberties Protection Officer                 Prevention Act of 2004,
                                                                                      P.L. 108-458, §103D; 50 USC
                                   Ongoing guidance from DHS Office of  ✓             403-1 (ODNI Civil Liberties
                                   Policy, Office of General Counsel                  Protection Officer)

Data as of February 26, 2008

2 The draft NAO Charter identifies Departments of Homeland Security, Interior, Justice, and Defense, and
the Office of the Director of National Intelligence as its signatories.

The first element of privacy stewardship is a legal framework that includes a Charter and
standard operating procedures. The Charter ensures NAO’s compliance with all laws,
policies and procedures that protect privacy, civil rights, and civil liberties.
The Charter is a binding agreement among the signatories that describes NAO’s mission,
infrastructure for operational oversight, and roles and responsibilities of stakeholders,
partners, and customers. Both the Charter and standard operating procedures further
define partner and customer interactions because NAO will work with members of the
intelligence community and users outside the intelligence community to support civil,
homeland security, and law enforcement applications. These procedures embed privacy
protections into NAO’s daily operations, such as

The second element supporting NAO’s privacy stewardship is external oversight and
monitoring.
The DHS Privacy Office, DHS Office for Civil Rights and Civil Liberties,
and Office of the Director of National Intelligence Civil Liberties Protection Office provide
guidance and monitoring to ensure compliance with privacy and civil liberties
protections. The DHS Offices of Policy and General Counsel provide external oversight
concerning policy and legal matters. The National Applications Executive Committee is
the oversight body for NAO. The three Committee chairs, the Deputy Secretary of DHS,
the Deputy Secretary of the Interior, and the Principal Deputy Director of National
Intelligence, will be aided in their oversight roles by their privacy, civil liberties, and civil
rights advisors.

Figure 2: Framework for Privacy Stewardship (continued)

Elements that are Needed           What NAO is Addressing               Status        Requirement

3) Training in privacy awareness   Privacy Awareness and intelligence   ✓             Privacy Act of 1974, as amended,
   and privacy and civil liberties activity training for personnel                    5 USC §552a (e)(9)
   in intelligence activities      including rules, requirements, and
                                   penalties for violations

                                   Customer training                    Planned

4) Published Notice of System of   System of Records Notice covered by  ✓             Privacy Act of 1974, as amended,
   Records                         Homeland Security Operations Center                5 USC §552a (e)(4)

Data as of February 26, 2008

The third element in
NAO’s framework for privacy stewardship is training on privacy
awareness and intelligence oversight activity.3 As it becomes operational, NAO is
responsible for properly administering privacy safeguards for the public and the
intelligence community. To comply with the Privacy Act of 1974, as amended, NAO
must ensure all personnel including customers are properly trained and aware of potential
privacy issues and safeguards.4 In September 2007, NAO complied with the Act’s
requirements by providing privacy training, which included rules of conduct and
consequences for privacy noncompliance.

To comply with its draft Charter, NAO must train personnel on the proper conduct of
intelligence oversight. The DHS Office of General Counsel provided this training to
NAO personnel in September 2007. As part of NAO’s new employee orientation and
ongoing training programs, personnel will complete both privacy awareness and
intelligence oversight activity training. NAO also plans to develop specific privacy
training and guidance for its nontraditional customers and applications.

The fourth element of the privacy stewardship framework is a public notice of NAO’s
system of records. A system of records is a group of records under the control of an
agency from which information is retrieved by the individual’s name or some other
identifier assigned to the individual. The Privacy Act of 1974, as amended, 5 USC 552a
(e)(4), requires each agency to publish a System of Records Notice (SORN) in the
Federal Register describing the purpose of the system, the types of information contained
therein, and details for individuals to gain access to information relevant to the individual
stored in the system. NAO’s proposed system of records is covered under the SORN for
the Homeland Security Operations Center, 70 F.R. 20061 (April 18, 2005).
As NAO
develops its products and services, it will need to review its activities to ensure that any
new information that it collects and maintains is appropriately described by the SORN.

NAO Risk Assessments are Being Finalized
Two different types of risk assessments on NAO’s program and its information need to
be completed. Through a Privacy Impact Assessment, the DHS Privacy Office evaluates
possible privacy risks and discusses the mitigation of those risks at the beginning and
throughout the development life cycle of a program that handles personal data. Through a
Civil Liberties Impact Assessment, the DHS Office for Civil Rights and Civil Liberties
will ensure that the domestic use of intelligence capabilities and products complies with
constitutional, statutory, regulatory, policy, and other requirements relating to the civil
rights and civil liberties of individuals affected.

3 NAO requires training regarding Executive Order 12333 United States Intelligence Activities for personnel
so its intelligence activities are conducted in a manner that protects the Constitutional rights and privacy of
U.S. persons.

4 The Privacy Act of 1974, as amended, provides protections and handling requirements for records
containing information about individuals that are collected and maintained by the federal government and are
retrieved by a personal identifier.

The left column of Figure 3, NAO Risk Assessments, indicates that two different types of
risk assessments are needed. The second column indicates the areas of risk that NAO is
reviewing. In the third column, comments describe the status or a check (✓) indicates
completion.
The last column lists the requirements for privacy assessments and for the
review of civil rights and civil liberties protections in NAO activities.

Figure 3: NAO Risk Assessments

What Assessments Are Needed        What NAO is Reviewing                Status        Requirement

1) Approved Privacy Impact         Privacy risks
   Assessments                      a) Program                          ✓             E-Government Act of 2002,
                                    b) Program revisions resulting      Planned       P.L. 107-347, §208 (b)
                                       from updated Charter and
                                       standard operating procedures,
                                       including customer/partner
                                       processes

2) Approved Civil Liberties Impact Civil liberties risks                Pending       6 USC §345 (Officer for Civil
   Assessment                                                           approval      Rights and Civil Liberties)

Data as of February 26, 2008

The first type of assessment, a Privacy Impact Assessment, is required by section 208 of
the E-Government Act of 2002. In June 2007, NAO submitted a completed Privacy
Impact Assessment to the DHS Privacy Office. This assessment described how NAO
would comply with the Privacy Act of 1974, as amended. However, NAO’s initial
program plans will change because it is still finalizing its Charter, standard operating
procedures, and customer partner processes to gain concurrence by stakeholders and
partners.
Therefore, NAO plans to update its initial Privacy Impact Assessment to reflect
those changes.

The second type of assessment, a Civil Liberties Impact Assessment, is the approach that
the DHS Office for Civil Rights and Civil Liberties is using to satisfy its assessment
requirements under the Implementing Recommendations of the 9/11 Commission Act of
2007 (Pub. L. 110-53). The Office for Civil Rights and Civil Liberties is finalizing this
assessment to ensure that civil liberties are not diminished by programs aimed at securing
the homeland.

The organizational framework for NAO is still under development and waiting for final
approval. NAO is a complex organization involving many stakeholders, partners and
constituents. All of these groups have different concerns and priorities. The Charter,
privacy and civil liberties risk assessments, and other key documents create a
framework that shows how NAO will be capable of accomplishing an important mission
that supports existing privacy laws and policies.
However, for a framework of privacy
stewardship to be realized, risk assessments must be based upon NAO’s preliminary
activities to instill a culture of privacy and the standard operating procedures and the
finalized Charter.

Recommendations
We recommend that the Under Secretary for Intelligence & Analysis direct the Director
of NAO to:

       Recommendation #1: Obtain approval by the DHS Privacy Office of an updated
       program Privacy Impact Assessment reflecting a signed Charter and standard
       operating procedures.

       Recommendation #2: Obtain approval of NAO’s Civil Liberties Impact
       Assessment by the DHS Office for Civil Rights and Civil Liberties.

Management Comments and OIG Analysis
We obtained written comments on a draft of this report from the Under Secretary for
Intelligence & Analysis. We reviewed the Under Secretary’s suggestions and made
changes where appropriate. We have included a copy of the comments in Appendix A.

The Under Secretary for Intelligence & Analysis concurred with our findings and
recommendations. We consider our recommendations resolved, but open pending our
review of actions taken by NAO.

*********************

The review is based on analysis of applicable documentation and interviews with
personnel and officials of relevant agencies and institutions.
We conducted our audit
from October 19, 2007 to February 29, 2008 under the authority of the Inspector General
Act of 1978, as amended, and according to generally accepted government audit
standards.

Appendix A
Management Comments

Appendix B
Major Contributors to this Report

Special Projects Division

Marj Leaming, Director
R. Steve Durst, Audit Manager
Michael Galang, Management and Program Analyst
Kyle Peterson, Management and Program Assistant
Gretchen Trygstad, Management and Program Assistant

Anthony Nicholson, Referencer

Appendix C
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Under Secretary for Intelligence and Analysis
Deputy Assistant Secretary, Mission Integration
Assistant Secretary for Policy
Assistant Secretary for Public Affairs
Assistant Secretary for Legislative Affairs
Acting Director, National Applications Office
Director, GAO/OIG Liaison Office
Office of Intelligence & Analysis Audit Liaison
Chief Privacy Officer
Officer for Civil Rights and Civil Liberties

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies
To obtain additional copies of this report, call the Office of Inspector General
(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web
site at www.dhs.gov/oig.

OIG Hotline
To report alleged fraud, waste, abuse or mismanagement, or any other kind of
criminal or noncriminal misconduct relative to department programs or
operations:

    • Call our Hotline at 1-800-323-8603;
    • Fax the complaint directly to us at (202) 254-4292;
    • Email us at DHSOIGHOTLINE@dhs.gov; or
    • Write to us at:
        DHS Office of Inspector General/MAIL STOP 2600, Attention:
        Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,
        Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.